Apple patches 21 Mac OS X vulnerabilities

Updates Flash Player plug-in, tackles CoreTypes for the third time this year

Apple Monday patched 21 vulnerabilities in Mac OS X, including seven flaws in Flash that the popular media player's maker, Adobe Systems, fixed more than a month ago.

Security Update 2008-008, which was released Monday as part of a broader refresh of Mac OS X 10.5, aka "Leopard," and available separately for users of Mac OS X 10.4, also known as "Tiger," quashes bugs in Apple Type Services, the CoreGraphics rendering component, Kernel, LibSystem and other pieces of the operating system.

At least half a dozen of the patches were tagged by Apple with its usual "arbitrary code execution" phrasing, a sign that the vulnerabilities are serious and, if exploited, could result in a hacker hijacking the machine.

While all 21 of the vulnerabilities affect Leopard, which was updated to version 10.5.6, only 15 of them affect Tiger, Apple's oldest still-supported OS.

Apple also updated the Flash Player plug-in it ships with Mac OS X to bring the software in line with the versions Adobe rolled out November 5 and November 17. Although Adobe updated Flash for all users, Mac included, and made the new versions available for downloading, Apple includes the fixes in its own operating system updates because it bundles the plug-in with all its computers.

"The issues are addressed by updating the Flash Player plug-in to version 9.0.151.0," said Apple in the security advisory that accompanied Monday's patches. These fixes will be moot for users who have already updated to Flash Player 10 on their own, however.

Other vulnerabilities that Apple patched Monday plug holes that could lead to everything from a denial of service or unintentional disclosure of private information to an unexpected system shutdown or access to the Podcast Producer component of Apple's server software.

Several of the patches address bugs that could be exploited through a browser, including two fixes to CoreGraphics and one to CoreTypes. Hackers could exploit one of the two CoreGraphics vulnerabilities with a malformed image file, while the second -- which could conceivably result in the hijacking of user credentials -- could be exploited simply by duping users into visiting a malicious Web site.

Apple also patched CoreTypes to block additional file types from being opened after a user downloads them. Safari, for example, relies on the component's Download Validation function to warn users against opening dangerous or risky file types. "This update adds to the list of potentially unsafe types," said Apple's advisory. "It adds the content type for files that have executable permissions and no specific application association. These files are potentially unsafe as they will launch in Terminal and their content will be executed as commands."
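As an added illustration (not Apple's code, and not part of the original article), the sketch below audits a downloads folder for the file class the advisory describes: regular files with an execute bit and no application association. Treating "no filename extension" as "no association" is an assumption made for the example, and `build_sample` creates constructed test files.

```python
import os
import stat


def is_terminal_launchable(path):
    """Regular file, execute bit set, no filename extension.

    Assumption: 'no extension' stands in for the advisory's
    'no specific application association'.
    """
    try:
        st = os.lstat(path)  # lstat: do not follow symlinks
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return False
    return os.path.splitext(os.path.basename(path))[1] == ""


def audit_downloads(directory):
    """Return sorted (relative_path, kind) pairs for risky files."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if not is_terminal_launchable(path):
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(2)
            except OSError:
                head = b""
            # A "#!" header marks a script whose lines run as commands.
            kind = "script" if head == b"#!" else "other"
            findings.append((os.path.relpath(path, directory), kind))
    return sorted(findings)


def build_sample(directory):
    """Write constructed sample files (name -> content, mode)."""
    samples = {
        "installer": (b"#!/bin/sh\necho hello\n", 0o755),  # flagged
        "notes.txt": (b"plain text\n", 0o755),   # has an extension
        "README": (b"plain text\n", 0o644),      # not executable
        "tool": (b"\x00\x01\x02\x03", 0o700),    # flagged, not a script
    }
    for name, (data, mode) in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
```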

CoreTypes' Download Validation feature had already been patched twice this year. Apple added more file types to the warning list in both the May 2008-003 update and June's 2008-004, when it patched 40 flaws and 25 bugs, respectively.

Security Update 2008-008 can be downloaded from the Apple site, or installed using Mac OS X's integrated update service. Leopard users, however, won't see the security update separately on the latter; those patches were rolled into the Mac OS X 10.5.6 upgrade also released Monday.

The security update alone weighs in at a 133MB download, while the combination Mac OS X 10.5.6/2008-008 is even heftier at 372MB.


Gregg Keizer

Computerworld